efficient protection of kernel data structures via object partitioning
Download
Skip this Video
Download Presentation
Efficient Protection of Kernel Data Structures via Object Partitioning

Loading in 2 Seconds...

play fullscreen
1 / 22

Efficient Protection of Kernel Data Structures via Object Partitioning - PowerPoint PPT Presentation


  • 100 Views
  • Uploaded on

Efficient Protection of Kernel Data Structures via Object Partitioning. Abhinav Srivastava , Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012. Outline. Introduction Related Work Sentry System Implementation Evaluation Conclusion. Introduction.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Efficient Protection of Kernel Data Structures via Object Partitioning' - zeroun


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
efficient protection of kernel data structures via object partitioning

Efficient Protection of Kernel Data Structures via Object Partitioning

AbhinavSrivastava, Jonathon Giffin

AT&T Labs-Research, HP Fortify

ACSAC 2012

outline
Outline
  • Introduction
  • Related Work
  • Sentry System
  • Implementation
  • Evaluation
  • Conclusion
introduction
Introduction
  • Kernel-level malicious malware often uses DKOM(Direct Kernel Object Manipulation) to hide the process from the kernel’s process accounting list.
  • They may also escalate a process’ privileges by overwriting the process’ credentials with those for a root or administrative user
  • We present a system called Sentry that creates access control protections for security-critical kernel data.
related work
Related Work
  • Petroni et al. detect process which reachable in scheduler but not in process accounting list.
    • Cannot detect the list of loaded kernel modules, which do not offer multiple views.
  • XFI and BGI guarded write instructions subject to access control policy constraints.
    • Require all kernel drivers and modules to use this system
    • Low performance.
sentry system
Sentry System
  • Page-level Granularity: use hardware’s page read/write protection to enforce access control policy
  • Partitioning: to separate kernel data structure into regionswhich have different access control policies
  • Based on VM: to get full control to hardware page-fault handling and management
page level granularity
Page-level Granularity
  • Old methods
    • Applying policy checking is to check all possible write operation to kernel data Slow performance
    • Protecting a single security-critical member requires whole page to be protected Low memory utility
  • Sentry use structure partitioning and page write protection to apply access control policies
page level granularity cont
Page-level Granularity (Cont.)
  • How page write protection protect the data?
  • Simply using the write flag in page data structure
  • If someone tries to write to a protected page, a page fault happen, and a function sh_page_fault in XEN hypervisor is called to handle this event
  • Sentry changes the handling function to add a policy check:
    • If write is valid, then ignore this page fault and perform write operation
    • If write is invalid, then the write operation is denied
partitioning
Partitioning
  • Structures such as task_structand modulecontains a mix of security-critical and not-critical fields
  • Structure Division
  • Structure Alignment
partitioning structure division
Partitioning - Structure Division
  • Split original Objby creating a new data structure insecure_Objcontaining non-critical fields

structtask_struct

structtask_struct

uid_tuid, euid, suid

uid_tuid, euid, suid

gid_tgid, egid, sgid

gid_tgid, egid, sgid

u64 acct_rss_mem1

structlist_head tasks

u64 acct_vm_mem1

char comm[16]

structlist_head tasks

insecure_task_struct *insecure

void *journal_info

structinsecure_task_struct

unsigned long personality

unsigned long personality

structaudit_context *audit_context

structaudit_context *audit_context

char comm[16]

void *journal_info

u64 acct_rss_mem1

...

u64 acct_vm_mem1

partitioning structure alignment
Partitioning - Structure Alignment
  • Add a buffer to original Obj to separate security-critical members and non-critical members away
  • This can be done by using compiler options to insert or remove the alignment buffer

Page Size

struct module

struct module

enummodule_state state

enummodule_state state

structlist_head list

structlist_head list

char name[MODULE_NAME_LEN]

char buffer[BIG_SPACE]

const char *version

const char *srcversion

char name[MODULE_NAME_LEN]

...

const char *version

const char *srcversion

...

policy
Policy

A valid write operation can be performed by:

  • Trusted core kernel, such as core kernel code from symbol _text to _etext, kernel boot code from symbol __init_beginto __init_end
  • Trusted Upgraders: Alteration reachable from most exported kernel functions, such as API provided by the Kernel
page creation registration
Page Creation & Registration
  • When creating a new instance of protected structure, Objand insecure_Objare put into a page frame separately, and add page write protection on the page containing Obj
  • The page frame number(PFN) then send to Sentry system using VMCALL, a method to pass data to hypervisor, to tell which page frame needs mediation
implementation
Implementation
  • Use Linux 2.6 and Xen hypervisor
  • Change task_structand modulestructure using division and alignment respectively
  • Change Linux source code where use those structures into correct variable
    • current->journal_infocurrent->insecure->journal_info
    • Alter 0.036%(2536/7041452) SLOC(Source Line of Code) in Linux 2.6
    • This can be done by source-to-source transformation techniques, such as provided by CIL
implementation cont
Implementation (Cont.)
  • Structure Division
    • Apply on task_struct structure only
    • Categorized 28 of 122 members as critical
    • Change structure creation function kmem_cache_allocinto get_free_pagesand kmalloc
  • Structure Alignment
    • Apply on modulestructure only
    • Categorized 2 of 29 members as critical
    • Only a recompilation of the kernel
implementation cont1
Implementation (Cont.)
  • APIs to communicate to hypervisor
    • addPFNtoDB, removePFNfromDB, checkPFNinDB
  • Modify __sh_propagateto make a shadow of memory of guest operating system for monitor
  • Sentry check write operation’s vaildityby the eipregister when sh_page_faultis called, and traverse the stack frame using ebpto get full call trace
evaluation
Evaluation
  • Attack Prevention and Detection
evaluation cont
Evaluation (Cont.)
  • Performance on loading and unloading modules
    • Normal: no kernel memory protection
    • Protected: protection without partitioning
    • Sentry: both memory protection and partitioning
evaluation cont1
Evaluation (Cont.)
  • Performance on file system read/write
  • Memory page utility
    • A partitioned kernel used 6502 pages as compared to 6302 pages used by the unpartitioned kernel
evaluation cont2
Evaluation (Cont.)
  • Performance on real world jobs
  • Performance on process data structure
    • 1000 µs = 1 ms
evaluation cont3
Evaluation (Cont.)
  • False Positive Analysis
  • Since benign modules don’t directly modify security-critical kernel data, and uses exported APIs provided by kernel
    • For example, benign modules don’t directly modify run_list, but using enqueue_taskand dequeue_taskto modify this member, and those functions are valid APIs, so the modules can still works fine
  • Our system did not show any false positives and detected all attacks
conclusion
Conclusion
  • We create protected memory regions within the unified kernel data space.
  • We show how to optimize kernel memory space layout for the protection constraints created by our system.
  • We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.
ad